IBM has announced a prototype anti-spam technology that it claims is eliminating 99% of incoming spam in lab tests. The software, FairUCE (Fair use of Unsolicited Commercial E-mail), looks at the identity of the e-mail sender, as opposed to the more common technique of filtering spam by analysing the content of e-mails.
FairUCE sits on your e-mail server and works by looking at the e-mail address, domain and originating computer. This “identity management” approach to spam links the inbound e-mail back to its original Internet Protocol (IP) address using lookup databases provided by the sending domain, and by referring to caches of IP information held locally. The sender domain identity and related information are the only things considered.
The technology is similar to other authentication schemes, notably Microsoft’s Sender ID and Sender Policy Framework (SPF), formerly known as Sender Permitted From. The key difference is that these solutions require each domain to publish lists of authorised domains, whereas FairUCE uses existing domain information to create its own “reputation” rating.
IBM says FairUCE makes an “educated guess” about the sender’s legitimacy, and stresses that IBM sees it being used in parallel with other systems, such as content filtering.
FairUCE marks incoming mail as either authorised or unauthorised; unauthorised means it suspects the message is fake or “spoofed” (not sent from the address claimed). The e-mail administrator can choose to either automatically send an e-mail “inquiry” to the sender, or simply to show the flags to the user. The inquiry can be as simple as a check box to confirm that the e-mail really originated from the sender. For this reason, critics say the technology relies on what is known as “challenge/response” methodology — a technique that became popular two years ago, whereby unknown senders are sent e-mails asking them to confirm their identity before their e-mail is actually delivered.
Challenge/response systems have been criticised for potentially swamping the net with challenge e-mails, and are seen as ineffective because they are often ignored.
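The sender-identity check and the administrator's choice between inquiry and flag, described above, can be sketched as follows. This is an added example, not IBM's FairUCE code: the article gives no algorithm details, so the specific checks (MX/A match, forward-confirmed reverse DNS), the function names and the DNS table are assumptions, and the reputation rating is not modelled.

```python
# Added illustration, not IBM's FairUCE code. DNS data is constructed sample input
# standing in for live DNS answers and the local cache of IP information.
DNS = {
    "A": {"example.org": {"192.0.2.10"},
          "mail.example.org": {"192.0.2.25"},
          "out3.example.org": {"192.0.2.40"}},
    "MX": {"example.org": ["mail.example.org"]},
    "PTR": {"192.0.2.25": "mail.example.org",
            "192.0.2.40": "out3.example.org",
            "198.51.100.9": "mail.example.org",   # forged PTR, no matching A record
            "203.0.113.77": "dsl-77.isp.example"},
}

def domain_ips(domain):
    """IPs the domain itself publishes: its A records plus those of its MX hosts."""
    ips = set(DNS["A"].get(domain, ()))
    for host in DNS["MX"].get(domain, ()):
        ips |= DNS["A"].get(host, set())
    return ips

def confirmed_rdns(ip):
    """PTR name for ip, only if that name resolves back to ip (forward-confirmed)."""
    name = DNS["PTR"].get(ip)
    return name if name and ip in DNS["A"].get(name, ()) else None

def classify(sender, client_ip):
    """Link the claimed sender domain to the connecting IP using existing DNS data."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if client_ip in domain_ips(domain):
        return "authorised"
    name = confirmed_rdns(client_ip)
    if name and (name == domain or name.endswith("." + domain)):
        return "authorised"
    return "unauthorised"

def handle(sender, client_ip, send_inquiry=True):
    """Administrator policy: send an inquiry to the sender, or only flag for the user."""
    if classify(sender, client_ip) == "authorised":
        return "deliver"
    return "inquiry" if send_inquiry else "flag"

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.40", "198.51.100.9", "203.0.113.77"):
        print(ip, handle("alice@example.org", ip))
```

The `198.51.100.9` entry shows why the reverse lookup has to be confirmed by a forward lookup: whoever controls an IP block controls its PTR record, so the name alone proves nothing.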
IBM appears keen to portray its system as being different from these. Speaking recently at an IBM forum, FairUCE developer Mathew Nelson, of the IBM Advanced Technology Group, said: “I say ‘inquiry’ rather than ‘challenge’, because we’re not asking if the sender is human, just if they are who they say they are, at least to the domain level. Unfortunately, most people stop reading the moment they see the word ‘challenge’. They tell me it’s been tried before and that it cannot possibly work, because of mailing lists, legitimate bulk mail, receipts, you name it. Please don’t be one of those people.
“When you introduce sender identity, the game changes completely. You’re no longer sending challenges to mailing lists, or legitimate bulk mail, or the vast majority of people who use e-mail. You’re no longer sending challenges to legitimate businesses, small or large, or vanity domains, or Hotmail, Yahoo, AOL etc users.”
But Andrew Lochart, senior director of marketing at e-mail security firm Postini, is not impressed. “I don’t see how this has raised the bar,” he says. “We looked at sender identification systems and decided they don’t really help. The main problem is that spammers can easily get legitimate domains for as little as £30 for 10 years. So they often use dozens of legitimate domains to send e-mails that look valid. We believe it is far more important to monitor ‘behaviour’ because a good domain can go bad very quickly by virtue of being taken over by a spammer.”
Postini is one of many firms that quarantine domains that appear to be sending spam — by virtue of screening the content and constantly looking for patterns of activity from any given domain.
David Feeney, business development manager for Symantec’s Brightmail, is more upbeat. “IBM is right to see this as a complementary approach,” he says. “We will have to wait and see how well this technology works. My main concern is that it can only stop 80% of spam e-mails, so users still need to think about methods to deal with the rest. If it proves effective as a way of reducing the volume of spam coming into the network, then that is definitely a good thing.”
Some critics say a problem with the technology is that it would sometimes be challenging PCs that have been taken over by spammers (known as bots, or robot machines), but that such computers are rarely e-mail servers, so the challenge e-mails would not get through to them. One developer in a forum on BroadbandReport.com added: “If your machine is taken over to send 5-million spam e-mails, it could trigger 5-million challenge e-mails, effectively amounting to a denial of service attack on your machine.”
IBM hits back at critics by arguing that content filters require significant maintenance, and have to do a great deal of processing to handle the many complex rules that are applied to weed out spam. IBM also plans to add Sender Policy Framework to the technology so that SPF-enabled domains will not be challenged.
Take-up of the technology is likely to be limited because it is only available for Linux-based mail transfer agents using Postfix, which is far less widely used than SendMail and Qmail.
Links
FairUCE is available through IBM AlphaWorks and can be downloaded from the company’s website. – Guardian Unlimited